Comparing Methods of Windows Credential Theft

Let's start with the basics.

Windows credential theft is the act of extracting credentials from a Windows host. Pillaged credentials come in different forms, and depending on the situation, may allow an attacker to gain additional access. An attacker must have local administrator rights on a host in order to extract credentials.

Windows accounts can be split into two groups: Domain accounts and Local accounts. Local accounts only exist on the machine they are local to and cannot be used to access domain resources. Windows computers always have at least one local administrator account. Built-in local accounts cannot be removed.

Local account credentials are stored in the SAM registry hive on every modern Windows system. The SAM registry hive is also encrypted with a key found in the SECURITY registry hive, so to extract local account credentials, an attacker needs both registry hives.

Viewing local accounts on a Windows 10 workstation
Viewing local accounts on a Windows 10 workstation

On the other hand, Domain accounts are valid on any Domain-joined host, and are typically more valuable to an attacker than Local accounts.

Viewing Domain users on a Domain Controller
Viewing Domain users on a Domain Controller

In contrast to the decentralized nature of Local accounts, Domain accounts are stored in one place -- the Domain Controller database. Each DC has a copy of the Domain user database, and synchronize with each other regularly. Any DC you target should have an up-to-date domain user database.

By default, the Domain user database is located on every Domain Controller at the path C:\windows\ntds\ntds.dit. Like the Local user database, the Domain user database is encrypted, and needs the SYSTEM registry hive to extract its contents.

Account credentials are also cached in memory whenever a user logs in to a host. Specifically, the Lsass.exe process holds credentials of any logged-in users. These credentials are present in process memory and can be extracted while on the host. An attacker can also create a memory dump of the Lsass.exe process and extract credentials from the dump file at a later time.

Viewing logged in users in Task Manager
Viewing logged in users in Task Manager

To recap, there are three different places we can perform Windows credential theft:

  • SAM registry hive for Local accounts
  • NTDS.dit file on Domain Controllers for Domain accounts
  • Lsass.exe process for users who are logged in

WTF Microsoft?

If you come from a Linux background like me, you might be surprised to learn that Windows allows accounts to log in with a password hash. You can't log in to Linux systems with hashes found in /etc/shadow, but on Windows you can log in with the NTLM hashes extracted from SAM, NTDS.dit, or Lsass. This ancient technique is called pass-the-hash, and it means that NTLM password hashes are just as good as plaintext passwords.

Using the local admin plaintext password to log in
Using the local admin plaintext password to log in
Using the local admin NTLM hash to log in
Using the local admin NTLM hash to log in

As you can see, there's not much difference between using a plaintext password or NTLM hash to log in. This is important because the majority of credential material extracted from local SAM, NTDS.dit, or Lsass comes in the form of NTLM password hashes.

Tools of the trade.

Local credentials

These are the different methods for extracting local account credentials. Each method has pros and cons. Extracting credentials always requires local administrator or SYSTEM privileges.

5. Manual (Reg Save)

Though generally a manual method is less desired, knowing how to pull credentials manually is always valuable. Registry hives can be sent to files using the reg save command. These files can be transferred to an attacker controlled host for extraction.

Saving copies of the SYSTEM and SAM registry hives
Saving copies of the SYSTEM and SAM registry hives

Some antivirus will not allow you to save these files. Make sure they are several megabytes in size.

Viewing SAM and SYSTEM files on disk
Viewing SAM and SYSTEM files on disk

Local password hashes can be extracted after files are transferred. I use pypykatz to extract SAM hashes.

Extracting local account credentials from SAM and SYSTEM files
Extracting local account credentials from SAM and SYSTEM files
4. Mimikatz lsadump::sam

Mimikatz, everyone's favorite malware, is able to extract the local credentials -- because of course it can. It's so good that every antivirus picks it up as malware, leading to it being a less than ideal choice for an attacker.

Less detections than I would expect for the world's number one malware
Less detections than I would expect for the world's number one malware

Mimikatz, at least the official version, is a compiled Windows executable, which makes it harder to use in free C2 frameworks like Powershell Empire or Koadic. A Powershell version of Mimikatz, Invoke-Mimikatz, is available, but suffers much the same antivirus fate as the original.

Extracting credentials from the local SAM via Mimikatz lsadump::sam
Extracting credentials from the local SAM via Mimikatz lsadump::sam
3. Invoke-PowerDump

Invoke-PowerDump is a Powershell script for dumping local SAM. It was written (partially) by the one and only ReL1K, so you know it has to be good. This is my preferred method of dumping local SAM when restricted to Windows tools.

Extracting local SAM credentials via Invoke-PowerDump in Powershell
Extracting local SAM credentials via Invoke-PowerDump in Powershell
2. Secretsdump

Secretsdump is an impacket tool that can be used to extract local account credentials remotely. Unlike the tools used above, Secretsdump is written in Python, and meant to be run from an attacker controlled host -- typically a Linux or Mac operating system.

Extracting local credential data remotely with Secretsdump
Extracting local credential data remotely with Secretsdump

Secretsdump requires administrative credentials and access to the Service Control Manager (generally available on port 139 or 445) to start the Remote Registry service. Once Remote Registry is started, Secretsdump can pull SYSTEM and SAM registry hives and extract local credential material.

1. CrackMapExec (CME)

CrackMapExec is "the swiss army knife for pentesting". As the name implies, it does about everything you could want it to -- including dumping the local SAM from hosts. CME is an excellent tool because it supports a targets range or file, meaning we can dump the SAM of multiple hosts at the same time.

Dumping local SAM databases on all hosts in the subnet
Dumping local SAM databases on all hosts in the subnet

CME uses the same Remote Registry method to extract the SAM database that Secretsdump does. CME makes the top of my list for making it so easy to get a list of local credentials. It even looks great. If I am on Linux or Mac, CME is my preferred method of dumping the local SAM database.

Domain Credentials

The Domain database contains the username and NTLM password hash for every Domain user. Given the sensitivity of this data, only Domain Admins and accounts with DCSync rights, like Domain Controllers, are allowed to download it. These are different methods for extracting domain database credentials. Each method has its pros and cons.

3. Manual method using Ntdsutil or Vssadmin

On live Windows hosts, files like the NTDS.dit database file and SYSTEM, SAM, and SECURITY registry hives are locked by critical processes and cannot be copied with the standard Windows copy function.

Trying to make a copy of the NTDS.dit file
Trying to make a copy of the NTDS.dit file

We can use one of two utilities to get around this problem. The first is Vssadmin, a tool used to create and manage system snapshots on Windows.

We can create a filesystem snapshot with Vssadmin and use the snapshot files instead of the live NTDS.dit and SYSTEM files.

Creating a VSS snapshot and copying SYSTEM and NTDS.dit files from the snapshot
Creating a VSS snapshot and copying SYSTEM and NTDS.dit files from the snapshot

The second tool we can use is Ntdsutil. It is used to create backups and restore the Domain database in the event of database corruption or other catastrophic failure. Ntdsutil provides a convenient function to create copies of the NTDS.dit file and the SYSTEM hive, which is required for decryption of the NTDS database.

Creating copies of NTDS.dit, SYSTEM, and SAM with Ntdsutil
Creating copies of NTDS.dit, SYSTEM, and SAM with Ntdsutil
Viewing the files created by Ntdsutil
Viewing the files created by Ntdsutil

Once we transfer these files off of the Domain Controller, we can use Secretsdump to locally parse the files.

Extracting Domain account credentials from files using Secretsdump
Extracting Domain account credentials from files using Secretsdump
2. Mimikatz lsadump::dcsync

Mimikatz also has the ability to remotely extract Domain credentials using its DCSync function. Given the correct privileges, and that antivirus doesn't immediately delete Mimikatz, we can pull the credentials of all Domain users.

Using Mimikatz lsadump::dcsync to remotely extract all Domain credentials
Using Mimikatz lsadump::dcsync to remotely extract all Domain credentials
Viewing NTLM password hashes of two Domain users
Viewing NTLM password hashes of two Domain users

Given an attacker context of Powershell, a port of Mimikatz's DCSync function is available in Invoke-DCSync. Note that this Powershell script relies on reflective DLL injection to accomplish its goals, which can be undesirable from a detection standpoint.

Dumping Domain credentials with Invoke-DCSync
Dumping Domain credentials with Invoke-DCSync
1. Secretsdump live

In addition to local file parsing, Secretsdump also supports a live mode for the Domain database. We can use Domain Admin credentials (password or NTLM hash) and point Secretsdump at our target Domain Controller.

Extracting Domain credentials from a Linux host with Secretsdump
Extracting Domain credentials from a Linux host with Secretsdump

Secretsdump can also extract useful information like password history and password last set date. Secretsdump is my go-to during engagements. CrackMapExec also offers the same remote DCSync functionality as Secretsdump, but there doesn't seem to be any reason to use it over Secretsdump.

Both Secretsdump and CrackMapExec allow an attacker the option of using the VSS or DRSUAPI method for extracting Domain hashes. The VSS method executes Vssadmin commands over SMB to access the SYSTEM hive and NTDS.dit file. Data from these files are pulled off of Windows SMB shares. Wireshark traffic for this activity is shown below.

Network traffic for Domain credential theft via the VSS method
Network traffic for Domain credential theft via the VSS method

DRSUAPI is a Microsoft protocol used to synchronize the Active Directory user database between Domain Controllers -- thus the name, DCSync. DCSync allows Domain Admins (or equivalent) to imitate a Domain Controller, and requests a target DC to synchronize its Domain database. Mimikatz lsadump::dcsync always uses the DCSync method. Secretsdump and CrackMapExec use it by default.

A classic DCSync meme
A classic DCSync meme

Wireshark traffic for DRSUAPI DCSync method is shown below. Note that both VSS and DSRUAPI methods require SMB and TCP/445.

Network traffic for Domain credential theft via the DRSUAPI method
Network traffic for Domain credential theft via the DRSUAPI method

An attacker should be mindful of the method they use to steal the Domain database, and a defender should understand that alerts should be built for both techniques.

Logon credentials

There are different methods for extracting credentials from Lsass. Each technique has their pros and cons depending on the environment. Out of the types of credential extraction covered in this blog, logon credentials are by far the most valuable to an attacker. This is because extracting logon credentials will give the attacker credentials of every user currently logged in. This could be an employee's account on a workstation, a system administrator's account on a server, or a service account on either.

Viewing the currently logged on users using `query user` command
Viewing the currently logged on users using `query user` command
6. Mimikatz sekurlsa::logonpaswords

Mimikatz made the list 3 times, but that's no coincidence. Sure, there are newer and cooler tools, but let's pay some respect to the one that started it all. sekurlsa::logonpasswords is what Mimikatz is famous for. 

Password hashes for the other users are off screen
Password hashes for the other users are off screen

As mentioned earlier, Mimikatz has been signatured by nearly every antivirus software, generally making it a bad choice to use during operations.

5. SharpDump

There are a plethora of tools capable of dumping process memory. Instead of covering every single one, I picked a handful of my favorites.

Sharpdump is a C Sharp project part of the GhostPack tool set. As a compiled EXE file, it can be used to create memory dumps of a target process.

Dumping Lsass.exe process memory with SharpDump
Dumping Lsass.exe process memory with SharpDump

Credentials can be extracted from Lsass memory dumps with either Mimikatz or Pypykatz.

Pulling credentials out of the memory dump
Pulling credentials out of the memory dump

The output above shows password hashes for every user logged in, but the output is too long to show in a screenshot.

4. Out-Minidump

Powershell can still be useful -- don't let anyone tell you otherwise. Out-Minidump is a Powershell tool that can create process memory dumps.

Creating an Lsass minidump using Out-Minidump
Creating an Lsass minidump using Out-Minidump

Like the previous dump file, Pypykatz can be used to extract credentials from this memory dump.

3. Procdump

Procdump is part of the Windows Sysinternals tool suite. It can be used to create memory dumps of running processes. Since it is a legitimate tool and signed by Microsoft, the chances of antivirus software flagging it as malware are low.

Viewing the Microsoft digital signature on Procdump
Viewing the Microsoft digital signature on Procdump

The only downside is an attacker would have to upload the Procdump executable to the target host and delete it when they're done. Not only is that kind of annoying, it also gives the defenders another chance to catch us.

We can create a memory dump of Lsass with Procdump and extract credentials later with Pypykatz.

Creating a memory dump with Procdump -- remember to accept the EULA
Creating a memory dump with Procdump -- remember to accept the EULA
2. Comsvcs DLL

Windows actually already has native functionality to create memory dumps. Task Manager has a feature to create dump files.

Looking at the Lsass process details in Task Manager
Looking at the Lsass process details in Task Manager
Creating a dump file through Task Manager
Creating a dump file through Task Manager

This process is nice because it's native, and does not rely on any external executables, but it is only useful for an attacker if they can access the GUI. This puts a huge limiting factor on this method. If only there were a way we could use the Task Manager memory dump technique from the command line...

As it turns out, the memory dump routine is a function called MiniDump inside a DLL named comsvcs.dll. We can create a dump from the command line like this:

Using comsvcs.dll to create a memory dump of Lsass
Using comsvcs.dll to create a memory dump of Lsass

A caveat to this method: Creating a minidump with comsvcs DLL requires SeDebugPrivilege. Running Powershell as admin gives this privilege by default, but cmd.exe does not. If you want to use command prompt for some reason, you need to be running as NT AUTHORITY\SYSTEM.  We can use PsExec to go from an admin user to SYSTEM.

Using the Sysinternals PSExec binary to go from local admin to SYSTEM
Using the Sysinternals PSExec binary to go from local admin to SYSTEM

Comsvcs.dll is my favorite method to dump process memory from Lsass. The only downsides are the need to use rundll32.exe, which is a historically dirty LOLBin, and the fact that it has to read process memory of Lsass.exe.

1. Internal Monologue

Some antivirus blocks reading Lsass process memory all together, rendering all of the above methods useless. What do we do then? Internal Monologue is a tool written by Elad Shamir to recover logon credentials without directly touching Lsass at all.

Abusing the cryptographic insecurities of the NTLMv1 network authentication protocol (different than NTLM), it is possible to convert NTLMv1 hashes back to NTLMs. First, Internal Monologue downgrades a host's network authentication it uses from NTLMv2 to NTLMv1. Next, it impersonates every user logged in, and authenticates each user internally to itself to capture each user's NTLMv1 hash. When finished, original NTLM authentication settings are restored.

Extracting NTLMv1 network hashes using InternalMonologue
Extracting NTLMv1 network hashes using InternalMonologue

The entire keyspace for NTLMv1 with default challenge (1122334455667788) has been exhausted and can be reversed into NTLM hashes for free using Crack.sh.

Submitting a job to reverse the kclark user's NTLMv1 hash
Submitting a job to reverse the kclark user's NTLMv1 hash
The results email from crack.sh containing kclark's NTLM hash
The results email from crack.sh containing kclark's NTLM hash

Just like any other NTLM hash, we can use this to log into kclark's account.

Validating kclark's NTLM hash
Validating kclark's NTLM hash

Internal Monologue also comes in Powershell flavor. I prefer to use the Powershell version because I'm poor and don't want to drop binaries to disk.

Even with all this extra work to recover a single NTLM hash, Internal Monologue is at the top of my list for recovering logon credentials. There's no feeling better than sticking it to antivirus software that won't let you touch Lsass process memory.

TL;DR

These are the final scores for each tool based on how much I use each one.

Local credentials:
  1. CrackMapExec
  2. Secretsdump
  3. Invoke-PowerDump
  4. Mimikatz
  5. Manual
Domain credentials:
  1. Secretsdump
  2. Mimikatz
  3. Manual
Logon credentials:
  1. Internal Monologue
  2. Comsvcs.dll
  3. Procdump
  4. Out-Minidump
  5. SharpDump
  6. Mimikatz

This article was updated on August 14, 2020